Sunday, March 22, 2015

EMV in the United States: The Story So Far

A friend of my parents with his own business was asking them about chip cards and contactless. Since I've babbled on about it with them before (mostly as a result of my following the very long, ongoing US EMV Card thread on FlyerTalk), they asked if I could explain the difference. I realized I was writing quite a lot and figured I might as well post it on my blog.

The magnetic stripe credit cards we use today aren't very secure. The magnetic stripe doesn't
change, so what criminals do is get a device that copies the
information off the magnetic stripe, and then writes that information
onto another card. This process is called cloning. The name
printed on the cloned card likely matches the criminal's ID (which is
itself likely a fake ID), so that if a merchant asks for ID, the name
printed on the card will match the name printed on the ID, and the photo
on the ID will be a photo of the criminal himself, so everything will
look good to the cashier (assuming they don't look too closely at the
cardholder name printed on the receipt, which would come from the
magnetic stripe data copied from the original card).

For one
example of a credit card cloning setup, see these pictures of a fake New
York City taxi, and note in the last one two credit card swipe
machines, one real one to process the fare, and another one to read the
magnetic stripe data off the card and store it to clone later.

Another
easy way would be to target a waiter in a restaurant, since they often
take credit cards away from the customer's table and swipe them
somewhere out of customers' view, which would make it easy for them to
swipe it through a second reader to clone the data. I'll come back to
this later and show how Chip and PIN can lead to a solution to this problem.

The
problem with the magnetic stripe is that it never changes. Every time
you swipe the card, the same information gets transmitted to the card
issuing bank. And they don't even have to get the physical card. In
several of the credit card breaches in the past few years including
Target and Home Depot, card information was stolen right out of the
merchant's point of sale computer systems.

So, the fix is to come
up with a way to have some of the information on the credit card change
each time you use it. Fortunately, there is, and it's called a smart
card. A smart card is simply a plastic, credit-card-sized card with a
small embedded computer and an exposed metal pad that allows the card
to make contact with a reader of some sort. Some people have smart cards issued by their employer that they use to log into their computers (including the US Government's CAC and PIV cards). I've also seen laundry machines that used smart cards instead of taking coins.
A special credit card machine was used to load money onto the card from a credit or debit card. And now credit cards that are actually smart cards exist.

Actually,
they're nothing new. The first smart card payment card was a Carte
Blanche card deployed in France in 1986. In the 1990s, Europay,
MasterCard, and Visa collaborated to develop a standard, first released
in 1995, called EMV (which stands for Europay, MasterCard, Visa). Today, EMV is the standard for payment cards
worldwide, and in addition to MasterCard (which absorbed Europay) and
Visa, the organization that oversees the standard now includes American Express, Discover, Japan's JCB, and China UnionPay.

What an
EMV credit card does, in addition to storing the card number and other
information we're used to, is generate a unique code per transaction
called a cryptogram. The cryptogram is what's called a digital signature that verifies the transaction details. Change any of the details about the
transaction, and the cryptogram won't match. Since the private key used to generate the cryptogram can't be removed from the card,
this proves that the correct original card was used. It also means that
if account information is taken from a merchant's computers, it's not
useful since they can't change any of the transaction details without
invalidating the cryptogram.

But, there's a catch. EMV cards
still have magnetic stripes, because not every merchant has EMV-capable
credit card terminals. And right now, what is the one huge market, with a
high rate of credit card use, that doesn't have EMV?

The United States of America.

EMV
is standard across Europe. Across Asia. Across Latin America. Canada
has it. Mexico has it. But the United States is behind. Why?

For
one thing, ever since we moved from imprinting the embossed numbers on
carbon paper to the magnetic stripe in the first place, transactions are
authorized in real time. Over time, banks have implemented more complex
fraud detection algorithms, so they have other ways of detecting
suspected fraud. In other countries, the cost of having a payment
terminal make a telephone call to the bank every time a card was swiped
was prohibitive, so other ways of attempting to see if the transaction
was legitimate or not were needed. Thus, the use of a PIN, a number the
cardholder could enter into a payment terminal, and could be
authenticated by the card itself, rather than the bank. Then, at the end
of the business day (or whatever time was convenient), only one phone
call was needed to transmit all of the day's credit card transactions to
the bank.

Combine that with just how big and profitable the US
credit card industry is. We have so many people running so many credit
and debit card transactions every day, that even with the fairly small
cut that the credit card issuers and payment networks (Visa, MasterCard,
etc) take, the amount of money they lost due to fraudulent transactions
was actually rather small. In 2010, losses due to credit card fraud were reported as 4.46 cents for every $100 in credit and debit card transactions worldwide. So it wasn't worth the effort
and expense to migrate the US to EMV, even as fraud in the US increased
as it decreased elsewhere. Thieves abroad were able to steal and
sell credit card details that, while they couldn't be used in their home
country, could be used in the US.

There also wasn't a big consumer demand for more secure credit cards. Federal law limits cardholder liability for fraudulent transactions to $50, and competitive pressures resulted in virtually all issuers now offering $0 cardholder liability on their cards.

So what happened?

Target got hacked. It wasn't the first credit card data breach that happened,
but it got a lot of publicity because so many people were affected. And
after that, the breaches just kept on coming. Albertsons. Staples. PF
Chang's. Kmart. Jimmy John's. Neiman Marcus. Michaels. The UPS Store. Dairy
Queen. Goodwill. JPMorgan Chase. And let's not forget Home Depot, the
biggest of them all with 56 million credit and debit cards compromised,
compared to 40 million at Target. But starting with the Target breach
and coming yet again every time another breach was reported, people
started asking if there was something better that could be done. Could
we make our credit cards more secure?

The answer was staring us
in the face. From across the Atlantic, the Pacific, and across our
northern and southern borders. Every American who had to stand in line
to buy a train ticket in Paris because the kiosk wouldn't accept their
credit card, who had to pay cash for a train ticket in The Netherlands
because they only take Chip and PIN credit cards, who had to make sure
they got gas for their rental car at an attended gas station in Europe
because the pay at the pump machines only took chip cards, who had to
wait for a European cashier to find a pen so they could sign the
receipt, who had to argue with a merchant that barely spoke English that
Visa required them to accept their chipless credit card knew the
answer.

EMV.

EMV wasn't completely unheard of in the
United States. The United Nations Federal Credit Union (which, as you
might suspect from the name, has a fair number of members who travel
overseas) was the first US financial institution to
issue an EMV credit card, in 2010. The four big payment networks (Visa,
MasterCard, American Express, and Discover) had set a date of October
2015 for a liability shift (I'll get to that in a bit). Some people
probably thought the date would be pushed back. But after the Target
breach and the "can we make this more secure?" questions seriously
started to be asked, that date started looking a lot more firm.

So
what is this liability shift? It has to do with who is liable for
fraudulent credit card transactions. Normally, the issuer of the credit
card holds that liability. The liability shift incentivizes a migration
to EMV by shifting liability to the weakest link in the chain. Really,
only one thing changes, but it's the key: If an EMV card is used in a
magnetic stripe terminal, the merchant assumes liability for any
fraudulent transactions. Thus, the card issuer is incentivized to
replace their magnetic stripe only cards with EMV cards, in order to
avail themselves of the opportunity to shift some liability away from
themselves. Meanwhile, the merchant is incentivized to replace their
magnetic stripe only credit card terminals with ones that can use EMV,
so that they can shift that liability away from themselves and right
back to the issuing bank. And because fraud goes down, since there's one
less way to do it, the bank still wins because they lose less to credit
card fraud.

So in 2014, EMV migration started seriously happening
in the US. The major card issuers, and some of the smaller ones,
started migrating their credit card products to EMV. Issuers with a
presence in other countries (like American Express, Capital One, and
Citibank) had been issuing EMV cards in those countries for years, but by 2014 started offering EMV in the US as well. At one extreme, American
Express claims that all of its card products are now offered with EMV,
including cards that they no longer take new applications for, like
Zync. At the other extreme are banks like Capital One, which was late to
start and currently offers it only on the Venture and VentureOne cards
(but has been offering EMV cards in Canada for years). But it's
happening, with more and more cards being converted. One of the most
recent is Chase's United MileagePlus Club and Explorer cards, which have
only started being offered so recently that they don't show up with
chips on Chase's web site yet (but I've seen pictures of actual cards,
so I know they exist) and not all phone reps will know about it if
people call to ask to get a chipped version.

But issuing EMV
cards isn't enough. Merchants have to take them, and not continue to
rely on the magnetic stripe. The magnetic stripe on an EMV card still
has unchanging data and still can be cloned. And if a merchant is
processing transactions with magnetic stripes, the situation hasn't
improved. The banks will have spent a bunch of money to send out new
cards (which are themselves more expensive; it should seem obvious that a
piece of plastic with a tiny computer embedded in it would cost more
than one without) but fraud won't go down. Thus, the liability shift to
get merchants to upgrade terminals on their end, and to do it now rather
than waiting for their current terminals to wear out and be replaced in
a few years.

But what prevents an EMV card (whether authentic or
one whose magnetic stripe has been cloned) from being used with a
magnetic stripe terminal anyway, since nearly all EMV-capable terminals
(basically, anything that's not an unattended kiosk in a country that
made the migration to EMV years ago) have magnetic stripe readers too? The EMV specification accounts for that. Included on the magnetic stripe is something
called the Service Code, and included in that is an indicator that the
card has an EMV chip. A non-EMV terminal wouldn't recognize that and
would just ignore it and process the transaction normally, but an EMV-capable
terminal would see the Service Code indication that it's an EMV card,
stop the transaction, and prompt the user to insert the card into the
chip reader. If the customer is presenting a card that doesn't have a
chip, but the terminal is prompting them to insert the card into the
chip reader, the merchant can be pretty confident that their customer is a
criminal attempting to use a cloned credit card.
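Here is the Service Code check described above as a short Python sketch. This is an example added for illustration, not code from any real terminal. It assumes the ISO/IEC 7813 Track 2 layout, in which a first Service Code digit of 2 or 6 marks a chip card; the two sample stripes are constructed from the well-known 4111... test number, and the function names are made up for this example.

```python
import re
from dataclasses import dataclass

# ISO/IEC 7813 Track 2 layout:
#   ; PAN = YYMM <3-digit service code> <discretionary data> ?
TRACK2 = re.compile(
    r"^;(?P<pan>\d{12,19})=(?P<expiry>\d{4})(?P<service>\d{3})(?P<disc>\d*)\?$"
)

# First service code digit: 2 and 6 mean the card carries a chip
# (integrated circuit); 1 and 5 are the stripe-only equivalents.
CHIP_FIRST_DIGITS = {"2", "6"}


@dataclass(frozen=True)
class Track2:
    pan: str
    expiry_yymm: str
    service_code: str

    @property
    def indicates_chip(self) -> bool:
        return self.service_code[0] in CHIP_FIRST_DIGITS

    @property
    def masked_pan(self) -> str:
        # Never log a full card number: keep the first six and last four digits.
        return self.pan[:6] + "*" * (len(self.pan) - 10) + self.pan[-4:]


def parse_track2(raw: str) -> Track2:
    """Split a raw Track 2 string into card number, expiry and service code."""
    match = TRACK2.match(raw.strip())
    if match is None:
        raise ValueError("not a well-formed Track 2 string")
    return Track2(match["pan"], match["expiry"], match["service"])


def swipe_decision(raw: str, terminal_has_chip_reader: bool) -> str:
    """Decide what a terminal does when a card is swiped.

    A stripe-only terminal ignores the chip indicator. An EMV-capable
    terminal refuses the swipe of a chip card and asks for the chip instead,
    which a cloned stripe on a chipless blank cannot provide.
    """
    card = parse_track2(raw)
    if terminal_has_chip_reader and card.indicates_chip:
        return "PROMPT_INSERT_CHIP"
    return "PROCESS_SWIPE"


# Constructed sample stripes (test card number, not real account data).
CHIP_CARD_STRIPE = ";4111111111111111=17122010000000000?"   # service code 201
STRIPE_ONLY_CARD = ";4111111111111111=17121010000000000?"   # service code 101

if __name__ == "__main__":
    for label, stripe in (("chip card", CHIP_CARD_STRIPE),
                          ("stripe-only card", STRIPE_ONLY_CARD)):
        card = parse_track2(stripe)
        for chip_reader in (False, True):
            print(label, card.masked_pan, card.service_code,
                  "chip reader" if chip_reader else "swipe only",
                  "->", swipe_decision(stripe, chip_reader))
```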

So in order for
everyone to see the benefits of reducing credit card fraud, we need to
see lots of merchants upgrade their terminals. When the majority of
merchants have EMV terminals, and the majority of cards are EMV,
criminals will have a hard time using cloned credit cards since not many
places will accept them, and swiping in general will become the
exception rather than the norm.

Where else have we seen this type of scenario? Vaccine herd immunity.

So,
that's great. Fraud will go down, credit cards will be easier to use
overseas again, everyone will be happy. End of story, right?

Nope.

There are
a couple of problems. The first I think will resolve itself soon enough.
Lots of stores, especially big chain stores, have EMV capable terminals.
But they haven't turned them on yet and still force you to swipe. The
one big exception is Walmart (including Sam's Club), which has enabled
EMV. I think the problem is that the big chain stores have complex
custom point of sale systems that need to be modified to support EMV,
compared to smaller merchants whose credit card terminals aren't
connected to anything but a phone line or an Internet connection. So for
them, migration is just getting a new terminal and asking their
acquirer to enable EMV on their account. The larger merchants will get
there, and many of them have said they're working on it. I think a
problem is some peculiarities introduced by US debit cards to allow the
transaction to route over either the credit or debit networks, but I
have no reason to believe that won't get sorted out soon.

The second problem is more complicated.

The media is lying to you.

You've
probably seen or heard stories about how US banks are now issuing "Chip
and PIN" cards, and how you use the card will soon change. But like so
many things, the devil is in the details, and the mainstream media gets
it wrong.

EMV defines at least two ways for a credit card holder
to prove who they are, signature or a PIN (and there are a few
variations on how the PIN is handled, but that's more detail than I need
to get into here). These are called Cardholder Verification Methods, or
CVMs. And you've likely used both of these methods with non-EMV cards. If you've ever used your debit
(as opposed to credit) card at a store, you were probably asked "credit
or debit?" The labels are badly chosen, and either way the money comes
right out of your bank account, but the difference is that if you choose
"credit", your transaction is processed over Visa or MasterCard's
credit card network and processed like a credit card, where you sign a
receipt for the purchase. Or you can choose "debit", where the
transaction is processed over an interbank network like STAR, Pulse,
Cirrus, or NYCE, you enter the PIN number you'd use to withdraw cash
from an ATM with the same card, and you don't have to sign. Oh, and as an
interesting side note, prior to migrating to EMV, Australian banks
issued swipe and PIN credit cards.

So the EMV standard supports
both. The banks that issue EMV credit cards decide which CVMs they want
to support, and program that information into the chip. Credit card
terminal manufacturers do as well. Typically, a manned terminal will
support both, since it has a number pad (needed to allow the cashier to
enter the payment amount) and thus can accommodate PIN entry, as well as a printer to
print the receipt, which allows the merchant to print a second copy of
the receipt and collect a signature. A convenient setup is to have an
external PIN pad placed on the customer side of the counter, to allow
them to enter their PIN without the merchant having to hand over the
full payment terminal. These PIN pads can have built in card readers
as well, allowing the customer to insert or swipe their own card rather than having to hand it to the cashier. They
might also have the necessary hardware to support contactless payments
(I'll get to those eventually) too. Make them a little fancier and you
have the terminals you've been using for years at big chain stores where
you sign or enter the PIN on a digital pad using an electronic pen. Look carefully at
the bottom, and you might see a card slot, but unless you're at Walmart or Sam's Club,
it probably won't work. At some places, like Target, it might even be
covered up.

But, we have a problem. Not all terminals support
both. In particular, those pesky European train ticket kiosks and pay at
the pump gas stations. Since those countries tend to be primarily Chip
and PIN, they assume that the cards will support PIN as well.

Remember
how I said the issuer decides what CVMs they support, and programs that
information into the card? Well, the way that typically works is that
the terminal reads the list from the card and chooses the first one that
works for it. So the convention is that the highest priority CVM for
purchases (cash advances are always first, and are pretty much always
PIN) defines whether the card is Chip and PIN or Chip and Signature.
European and Canadian cards are normally Chip and PIN, since they put
PIN above signature. But nearly all US cards are Chip and Signature. Not
all hope is lost, since the US isn't the only country where Chip and
Signature is normal; Singapore is another. And there are a few Chip and
PIN cards being issued in the US.

But Chip and PIN or Chip and
Signature really only refer to the highest priority option. I suspect
that all PIN cards put Signature somewhere on their list. But not all
Signature cards have support for PIN. Barclaycard US (I note US since
they're a subsidiary of a British bank that would do this
differently) is one of the best, since their cards, including Arrival+
and the HawaiianMiles cards, not only support PIN, but all the variations on
how the PIN can be handled (USAA and SunTrust Bank also fall into this
category), so they've got the best chance of acceptance worldwide. Next
are banks like Wells Fargo, Citibank, and Bank of America (though BofA
reps deny their cards support PIN for purchases, they actually do),
which support some but not all PIN modes, so there's still a chance of
not finding a matching CVM. Finally, there are issuers like American
Express, Capital One, and Chase, which don't support PIN for purchases
at all for their US-issued cards. MasterCard is a bigger advocate of PIN than Visa (which is
heavily promoting Chip and Signature in the US), so there's a better
chance that a MasterCard will support PIN of some sort.
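To make the "first CVM that works" rule and the PIN-only kiosk problem concrete, here is a Python sketch of how a terminal walks a card's CVM list. It is an example added for illustration, not code from any issuer or terminal vendor. It follows the EMV CVM List layout as I understand it (two 4-byte amount fields, then 2-byte rules) and models only the condition codes "always" (00) and "if terminal supports the CVM" (03); the card lists and terminal profiles are constructed, not any real bank's configuration.

```python
from dataclasses import dataclass

# CVM method codes (low six bits of the first byte of each rule).
CVM_NAMES = {
    0x01: "plaintext offline PIN",
    0x02: "enciphered online PIN",
    0x04: "enciphered offline PIN",
    0x1E: "signature",
    0x1F: "no CVM",
}
CONTINUE_FLAG = 0x40        # "try the next rule if this one is unsuccessful"
COND_ALWAYS = 0x00
COND_IF_SUPPORTED = 0x03    # "if terminal supports the CVM"


@dataclass(frozen=True)
class CvRule:
    method: int
    continue_on_failure: bool
    condition: int


def parse_cvm_list(data: bytes) -> list:
    """Parse a CVM list: 8 bytes of amounts X and Y, then 2-byte rules."""
    if len(data) < 10 or (len(data) - 8) % 2:
        raise ValueError("CVM list must be 8 amount bytes plus 2-byte rules")
    return [
        CvRule(data[i] & 0x3F, bool(data[i] & CONTINUE_FLAG), data[i + 1])
        for i in range(8, len(data), 2)
    ]


def select_cvm(rules, terminal_supports):
    """Return the name of the CVM the terminal ends up using, or None.

    terminal_supports is the set of method codes the terminal can perform.
    None means no rule matched: cardholder verification fails.
    """
    for rule in rules:
        supported = rule.method in terminal_supports
        if rule.condition == COND_IF_SUPPORTED and not supported:
            continue                 # condition not met: skip this rule
        if rule.condition not in (COND_ALWAYS, COND_IF_SUPPORTED):
            continue                 # cash and amount conditions not modelled
        if supported:
            return CVM_NAMES.get(rule.method, hex(rule.method))
        if not rule.continue_on_failure:
            return None              # rule applies, cannot be done, list stops
    return None


AMOUNTS = "00000000" "00000000"      # amounts X and Y, unused here

# Constructed card profiles, highest priority rule first.
SIGNATURE_ONLY = bytes.fromhex(AMOUNTS + "5E03" "1F03")
SIGNATURE_ONLINE_PIN = bytes.fromhex(AMOUNTS + "5E03" "4203")
SIGNATURE_ALL_PIN = bytes.fromhex(AMOUNTS + "5E03" "4203" "4403" "4103" "1F03")
PIN_FIRST = bytes.fromhex(AMOUNTS + "4403" "4103" "4203" "5E03" "1F03")

# Constructed terminal profiles.
ATTENDED = {0x01, 0x02, 0x04, 0x1E}      # staffed counter with PIN pad
PIN_ONLY_KIOSK = {0x01, 0x04}            # unattended, offline PIN only
KIOSK_WITH_NO_CVM = {0x01, 0x04, 0x1F}   # same kiosk, also allowing No CVM

if __name__ == "__main__":
    cards = {"signature only": SIGNATURE_ONLY,
             "signature + online PIN": SIGNATURE_ONLINE_PIN,
             "signature + all PIN modes": SIGNATURE_ALL_PIN,
             "PIN first": PIN_FIRST}
    terminals = {"attended": ATTENDED, "PIN-only kiosk": PIN_ONLY_KIOSK,
                 "kiosk with No CVM": KIOSK_WITH_NO_CVM}
    for card_name, raw in cards.items():
        for term_name, caps in terminals.items():
            result = select_cvm(parse_cvm_list(raw), caps)
            print(f"{card_name:26} @ {term_name:18} -> {result or 'DECLINED'}")
```

The signature-only card and the card with only online PIN both come up empty at the PIN-only kiosk, while the card that lists every PIN mode still finds a match there.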

But there
is one thing that will help. Visa is pushing to ban PIN-only kiosks,
but it's yet to be seen if they'll really be successful. What they're
doing is trying to get the PIN-only kiosks to be modified to support
another CVM I haven't mentioned yet called "No CVM". This is what it
sounds like, where the card tells the terminal not to perform cardholder
verification. This is also what happens when you use a kiosk in the US
and you just swipe your card and don't sign anything (being asked for
your zip code is really something else called address
verification--online purchases do this too when they ask for your
billing address separate from a shipping address--and is a source of as
much annoyance to foreign visitors to the US as not having a PIN-capable
card is to Americans overseas).

But even then we still have a
problem, and that is merchants who are reluctant to accept signature
transactions. They may be required to accept all valid cards (Chip and
PIN, Chip and Signature, or magnetic stripe), and some bank customer
service reps would outright tell their customers this when they would
call to enquire about EMV cards (Capital One was notorious for this),
but try explaining that to a merchant in rural Bulgaria who doesn't speak
much English. And merchants are frequently selective about what rules
they follow with respect to credit card acceptance. I still see
merchants with signs that state an extra fee for credit card purchases;
although they're no longer prohibited by Visa and MasterCard, they are
still prohibited by state laws in California and some other states. And people
have reported merchants in Australia not wanting to take Chip and
Signature cards there, after that country converted to Chip and PIN last
year, even though they're explicitly told that foreign issued cards may
still be signature and those are still valid. The UK is an interesting
case, since even though it's Chip and PIN, banks issue Chip and
Signature cards to customers with certain disabilities, and thus refusal
to accept a Chip and Signature card means the merchant risks running
afoul of British laws prohibiting discrimination against disabled
persons.

But none of that is a big deal if you're not much of an
international traveller, since most cards issued in the US are Chip and
Signature, and Chip and Signature is the least change from our current
swipe and sign model. And some cards support PIN in one form or another,
increasing the chances that the card will work abroad.

But what
if you are a frequent enough international traveller that you want to
avoid the hassle of being stuck with a Chip and Signature card in a Chip
and PIN country? Or you feel, as I do, that a signature is pretty
worthless as a form of cardholder verification (either the card itself
is stolen, which has the signature written on the back for the thief to
copy, or the card is cloned in which case they can make up whatever
signature they want to put on the back of the card and on the receipt).

Fortunately,
there are options out there. The United Nations Federal Credit Union
card, mentioned earlier as the first US-issued EMV credit
card, is Chip and PIN. The Harvard Alumni card is also Chip and PIN, as
is the Diners Club card from BMO/Harris Bank, which unfortunately isn't
currently accepting new applications. First Tech Federal Credit Union
is preparing to switch from Visa to MasterCard, and it appears that the
new MasterCards will be Chip and PIN. There are also a couple of wildcards: Walmart
has stated a preference for Chip and PIN, and while the current Walmart
and Sam's Club issued cards are Chip and Signature, they are supposed to
start issuing Chip and PIN versions this year. Another wildcard is
Target, which also claims to be coming out with a new Chip and PIN
REDcard MasterCard, though as it hasn't been released yet, it remains to
be seen whether this will truly be Chip and PIN or if the term is being
used generically to refer to EMV chip cards.

However, it looks
like Chip and PIN may itself have a few problems in the US. Some
merchants might not acquire customer-facing PIN pads, which would make
it difficult (though not impossible) to use a Chip and PIN card since
the customer would have to get access to the payment terminal normally
used by the cashier, likely by either the cashier handing the terminal across the counter to the customer, or the customer walking around behind the counter.

A bigger problem is restaurants. Currently,
many restaurants use a model where the server takes the customer's card
away from the table to process the payment somewhere else. With Chip and
Signature cards, this works no differently than today since a receipt
is printed and the customer signs it, no different than if it was
swiped. But if the card is Chip and PIN, the card terminal is some
distance away from the customer. With the current model, the customer
would end up having to follow the server to the payment terminal to
enter their PIN.

The other option would be for restaurants to
change the way they work. One is to adopt a model where the customer
pays a cashier near the restaurant's entrance. Some places do this, but
they're typically more casual restaurants like Denny's, so many
restaurants might not want to change to this model for fear of being
seen as less service oriented or moving downscale.

However, there
is another solution that's already available, and yet again we can look
to Europe and Canada to see it in use. There, in many restaurants, when
it comes time to pay, instead of the server taking the credit card away
from the customer, the server has a portable wireless terminal where
the chip card can be read (and non-chip cards can be swiped) right at the customer's table. The server
hands the terminal to the customer to enter any tip (which has the
bonus of eliminating tip fraud where the server changes the tip amount
after the fact) and enter their PIN. For a Chip and Signature card, all
that changes is instead of entering a PIN, they sign the receipt that
gets printed on the terminal's built-in printer. So not only have
we solved the PIN problem, we've eliminated tip fraud and removed the
opportunity for a card's magnetic stripe to be cloned out of sight of
the customer. It remains to be seen if American restaurants will adopt this technology though.

My
current thinking is, for someone who doesn't travel internationally (or
mainly to Chip and Signature countries like Singapore), any card issued
today in the US is fine. But if they do travel to Chip and PIN
countries, or prefer the added security of a Chip and PIN card, they
might want to investigate a Chip and PIN card to have in addition to a
Chip and Signature card; at this point I'd hesitate to have only a Chip and PIN card in the US until we see how restaurants are going to handle them.

So,
one question that people might ask is, since the US is so late in making the transition to EMV, why not skip EMV chip cards entirely and go straight to mobile
payments?

A good question. The simple answer is that, while it
may seem like everyone has a smart phone, that's not really true. Lots
of older ones and even some still on the market (such as the iPhone
5S) don't have the necessary hardware to support contactless payments,
and even a dumb phone is expensive to produce compared to a chipped
credit card. Plus, phones have batteries that can run out.

But
contactless doesn't have to mean just phones, though it seems like
mobile payments (and Apple Pay in particular) are the driving force to
get people in the US interested in contactless payments. In many other countries, it's
common for credit cards to have the contactless capabilities built right into the card itself, so that people
can just tap their cards, rather than inserting the card into the chip reader. The technology is available in the US, but despite advertising,
never became terribly popular and so it's much less common for US-issued
cards to have them. But they are out there, and with interest in Apple
Pay, cards with built in contactless as well as other mobile phone
payment systems like Google Wallet will also become more accepted as
merchants enable support for Apple Pay.

Which is because, as it
turns out, Apple Pay is EMV! Specifically, it uses the same protocols as
defined in the EMV specification for contactless cards to communicate
with the terminal. It also supports another form that is only used
in the US where the data sent is similar to the magnetic stripe data.
All this is transparent to the user, though. It's why Apple Pay works in
countries where contactless credit cards are more commonly used, even
though Apple Pay hasn't been formally rolled out in those countries.

Contactless
EMV in general seems as secure as contact EMV. One concern that
may have hindered contactless acceptance in the US is a fear that people
would be able to wirelessly steal your credit card number without even
knowing it. This doesn't seem to have become an issue in countries where contactless is more common, and as with the risk of card information being taken
from merchants' computer systems, they still wouldn't be able to
generate a valid cryptogram thus making the information of limited use.
Issuers and merchants have also typically limited the transaction amount
allowed for contactless transactions, requiring either a card insertion
or PIN for higher value transactions anyway.

A second factor
that may have limited contactless popularity in the US is that many
merchants are able to waive collecting a signature for lower value
transactions, often those under $50. This makes swiping a magnetic
stripe card as fast as tapping a contactless one, compared to inserting a
chip card and entering a PIN, since PIN waivers for low value contact
EMV transactions seem rare to nonexistent. For example, at Walmart, a
customer using a Chip and PIN card will always be prompted to enter
their PIN, while a customer using a Chip and Signature card will only be
asked to sign if the transaction amount is above the store's threshold.

Apple
Pay takes contactless security a bit further with two things. One is
the use of the fingerprint sensor to authenticate the cardholder. PINs,
while better at authenticating a customer than a signature, can still be
observed and copied, but copying a fingerprint is rather more
difficult.

The second thing Apple Pay does is implement
tokenization, a process where the phone actually generates a unique card
number and stores and uses that, rather than the actual number printed
on the card. This unique number is translated in the payment network to
link it back to the cardholder's actual account, and setting this piece
up is why not all cards work with Apple Pay; the issuing bank needs to
have tokenization support working on their end. Tokenization is part of
the EMV specification and isn't unique to Apple Pay, so it's likely
we'll see this spread to other forms of payment, possibly including
contact EMV cards.

So, after all that, we've solved credit card fraud, once and for all, right?

Nope.

EMV
addresses what's called card-present fraud (where the card itself is
present at the time of the transaction), but does little for card-not-present fraud, which today tends to mean Internet transactions. Various
things have been tried, but nothing that has had the broad base of
consumer acceptance that EMV has. That's another topic for another day.